On 3/25/19 7:28 AM, Kenneth MacDonald wrote:
> If this behaviour is impossible, I will have to ensure all my
> management hosts default to the same realm that they are managing. Or
> is there something I am missing?
I don't think it can work with kadmin -k (authenticating from keytab), because kadmin will try to use the keytab to directly get credentials for the server realm with an AS request. Since there is no cross-realm for AS requests, it winds up getting credentials for the client realm instead.

I was able to make cross-realm kadmin work in a test environment with kadmin -c. I ran kinit normally, then used kvno to explicitly get tickets for kadmin/admin@TEST. The kvno step is necessary because kadmin -c expects the necessary credential to already be present in the ccache; it won't make a TGS request for them. Then I ran kadmin -c /path/to/ccache -r TEST.

Of course I also had to remove the DISALLOW_TGT_BASED flag from the kadmin/admin@TEST principal entry, as you did in your tests.
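The kinit / kvno / kadmin -c sequence from the reply above, as an added script that is not part of the thread. It assumes the MIT krb5 client tools (kinit, kvno, klist, kadmin) are on PATH; the realm name TEST is the one used in the message, and the ccache path, the `cross_realm_kadmin_cmds` and `has_kadmin_ticket` helpers, and the `KADMIN_RUN` switch are assumptions introduced here. The klist check before kadmin is the caveat the reply raises: kadmin -c only reads the ccache, so the kadmin/admin service ticket must already be there.

```shell
#!/bin/sh
# Added example (not from the thread): drive cross-realm kadmin via kadmin -c.
# Assumes MIT krb5 client tools on PATH. ADMIN_REALM and CCACHE are placeholders.
ADMIN_REALM="${ADMIN_REALM:-TEST}"
CCACHE="${CCACHE:-/tmp/krb5cc_kadmin_$$}"

# Hypothetical helper: emit the exact command sequence, one per line, so it can
# be reviewed or logged before anything touches the KDC.
cross_realm_kadmin_cmds() {
    realm="$1"; cc="$2"
    printf '%s\n' \
        "kinit -c $cc" \
        "kvno -c $cc kadmin/admin@$realm" \
        "kadmin -c $cc -r $realm"
}

# Hypothetical helper: confirm the ccache already holds the service ticket.
# kadmin -c will not issue a TGS request itself, so this is the check to make
# before invoking it.
has_kadmin_ticket() {
    realm="$1"; cc="$2"
    klist -c "$cc" 2>/dev/null | grep -q "kadmin/admin@$realm"
}

# Run the sequence for real. Only executed when KADMIN_RUN=1 so the file can be
# sourced or reviewed without contacting a KDC.
run_cross_realm_kadmin() {
    realm="$1"; cc="$2"
    kinit -c "$cc" || return 1                       # client-realm TGT, normal kinit
    kvno -c "$cc" "kadmin/admin@$realm" || return 1   # cross-realm TGS for kadmin/admin
    if ! has_kadmin_ticket "$realm" "$cc"; then
        echo "ccache $cc lacks kadmin/admin@$realm; kadmin -c would fail" >&2
        return 1
    fi
    kadmin -c "$cc" -r "$realm"                       # kadmin reads the ccache, no TGS
}

if [ "${KADMIN_RUN:-0}" = 1 ]; then
    cross_realm_kadmin_cmds "$ADMIN_REALM" "$CCACHE"
    run_cross_realm_kadmin "$ADMIN_REALM" "$CCACHE"
fi
```

Run it with `KADMIN_RUN=1 ADMIN_REALM=TEST sh cross-realm-kadmin.sh`; without `KADMIN_RUN=1` it only defines the helpers. As the reply notes, the kadmin/admin@TEST principal must not carry DISALLOW_TGT_BASED, or the kvno-obtained ticket will be rejected by kadmind.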